Posted by Soulskill on Monday November 29, 2010 @01:10PM from the let's-hijack-their-hijack dept.

Trailrunner7 writes "China has long used the Internet's Domain Name Service to censor Web sites and information that the ruling Communist Party deems threatening. But now security experts warn that the government's censorship is in danger of spilling over China's borders, suppressing the ability of those living outside of China to find information online. An estimated 57% of all networks on Earth passed DNS requests through a Chinese DNS rootserver at some point in 2010, according to data from security firm Renesys. Tampering by the Communist Party there poses a danger to Internet security and freedom. In fact, DNS tampering may be a bigger threat than techniques like BGP (Border Gateway Protocol) hijacking, which is believed to be responsible for an unexpected shift in Internet routing in April that has recently been the subject of mainstream media reports in the US. There is already evidence that China's efforts to tamper with DNS have bled outside the country's borders. The same report to Congress from the US-China Economic and Security Review Commission that called attention to the BGP hijacking incident from April, 2010 also mentions a March, 2010 incident in which Internet users in the US and Chile attempted to connect to social networking websites banned by the Chinese government. However, their DNS requests were handled by a Beijing-based Domain Name Server, which responded with incorrect DNS information that directed the surfers to incorrect servers, the report says."

So, I'm kind of dense, are you implying that the irredeemably evil nightmare that is China is worse or better than the corrupt (government by bribery) and (police state in training) that is the USofA?

I understand the need for mass replication of the DNS root servers and appreciate both the cultural and technical needs to spread them fairly evenly throughout the world but is it really necessary for China to replicate F, I and J at the root level? Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level? Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

Yeah, why does anyone trust any root server located in China? (They can set up servers that claim to be root servers all they like, but that doesn't mean the rest of the root servers have to trust them, so why do they?)

Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

DNSSEC *does* protect against this man-in-the-middle attack, that's in fact its main feature.

You say that a cache receiving the root glue (data about the root servers) has 'no way' to validate that the glue is legitimate. That's totally not true. There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

There are many ways to validate the data, including verifying against an SSL website, well known public servers, etc.

And how do you get the IP address of this SSL web server? You must look up the domain in DNS. SSL certificates are tied to the domain, not the IP address. If you must use a service you don't trust to get the crypto tokens that allow you to trust it, you cannot trust it.

Because DNS is fundamentally insecure and there is no way to secure it without a re-write from the ground up. DNSSEC is a bandaid with a limited window of effectiveness. Ultimately, a cache receiving root glue has no way to validate that the glue is the legit root glue. And so they will become poisoned.

That's not the point...the update requests you get from the "selected" ones: how do you know those are right? You don't. You're choosing to trust that select few. In this case, also, F, I, and J.root-servers.net are anycast...meaning that the IP you're trusting actually appears in multiple places at the same time, one of which is in China.

Better question: How do you know that the i.root-servers.net system that you're talking to is not the one in China?

Have someone that you trust sign the root data - it can be ICANN, it can be some other organization like FSF or ACLU or whomever you like, it can be any random individual that happens to have your trust and is willing to do the signing periodically.

Would performance and the world perception of a US controlled internet really suffer if China was denied access to the root level?

I think it would. I wouldn't be surprised if China happens to hold some control over the network (if it exists much) in North Korea, and doing something like that might cause even more tensions in what is already a difficult situation.

Let them replicate all 13 for their internal use but remove any server's root status if the server is hosted in China... Maybe I'm missing something here but is this not a reasonable stance on preventing this type of collateral damage?

NOOOOO! We must rebuild the entire interweb! Tiered service plans with CIA backdoors and automatic killswitches for stolen intellectual property!

Actually, no, the Root server operators do not need access to the private key used for key-signing. They only get a copy of the root zones, all signed ahead of time.

DNSSEC would solve this from a mis-information stand-point. It doesn't stop it from a DoS attack (just not answering, or even answering with bogus DNSSEC replies, which the DNS resolver will discard, but the end result is that you don't get your query answered).

Root servers point to top-level domains. com, net, org, cn, us, uk... these would all have their own keys. China would only have access to one of those. As pointed out by others, the roots are pre-signed and just passed around for mirroring.

This doesn't prevent China from doing various nuisance activities such as replying with unresolvable, bogus unsigned answers, or bogus answers with wrong signers. That said, you'd at least have some level of verification available that a DNSSEC signed answer is appropria

The only problem with that is when IPs change. For major sites, it doesn't happen often, but when it does it may toss you through a loop.

You might find it easier (and more efficient) to just build yourself a caching nameserver and set the TTLs high (hell you can do this on the workstation itself). Couple this with your existing method if you wish, there's no reason they can't work together.

I just don't get what APK's deal is. He is clearly ignorant/misinformed and surely knows better...but I don't think I have ever seen a more dedicated troll than WillyonWheels. I mean..., he has been posting this same shit for years now, slightly customizing it for each story. It must be nice to have that much free time.

Or they could just install a DNS caching server, it's not that hard. And besides the static hosts information, it would also share the DNS cache between all the clients, so if two of them accessed the same sites, it would be faster for the second client.

I use dnsmasq myself often. I thought that people in organizations that fear government censorship are better with a hosts file on each computer than with a number of dns caches. The response can still be spoofed or the servers DoSed. Git can do signed commits and updates over ssh. Also one could exploit virtual hosting configuration and have a server that returns normal content if accessed through its normal domain, and special content if accessed through an entry in the hosts file (good against casual surf

Wikileaks is a government operation. China is well aware of that. Just like (if you did read Wikileaks) the US was well aware of China's attack on Google but chose not to tell anyone. China and US are on much better footing than you think, the theater is just for the populace.

u.s. just grabbed 12 domain names, on the whim of some private interests inside usa. not only that they dropped a 'for other purposes' clause, in the bill/whatever that is going to allow them to do more.

'for other purposes'. you can even put 'daydreaming' in it, and legally grab domains that help people daydream.

This case wasn't about one site pretending to be another. These were domain names allegedly used in copyright infringement activities. Domains used by others for typo-squatting is usually done through the courts system quite successfully.

So do we need a new way of describing DNS servers? We also probably need a new way of describing DNS entries so you can tell the difference between an actual DNS for a site and a DNS for an edge caching site.

How? How many clients will actually work their way up the chain to resolve against the hosted DNS server? That makes any initial engagement with raw (or cache expired) domains much slower. For a web site that is looking for drive-by service, this would be less appealing than say going to a Google derived alternative which is always well buried in cache. If what you really want is a way of verifying that the upstream data source isn't tampered with, and I'm sorry but that's not going to happen, at least not on

DNSSEC. If the root-zone keys are distributed through an independent channel (ie. downloaded from ICANN and loaded into the local resolver/server software configuration), then even running a root DNS server won't let you forge responses for any part of the DNS tree you don't actually control (ie. have the private keys to generate new signatures for).
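The point made in the comment above, that a root key obtained out of band lets a resolver reject keys served by an untrusted root mirror, sketched as an added example (not part of the original thread). It covers only the match of a DNSKEY against a locally stored trust anchor, not RRSIG validation; the key bytes and the `LOCAL_ANCHOR` record are constructed for illustration.

```python
import hashlib
import struct

ROOT_OWNER_WIRE = b"\x00"  # the root name "." in DNS wire format

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as laid out in RFC 4034: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (a lookup checksum, not a security check)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner_wire: bytes, rdata: bytes) -> str:
    """DS digest type 2: SHA-256 over owner name || DNSKEY RDATA (RFC 4509)."""
    return hashlib.sha256(owner_wire + rdata).hexdigest()

def matches_anchor(rdata: bytes, anchor: dict) -> bool:
    """Accept a DNSKEY only if it hashes to the locally configured anchor."""
    return (key_tag(rdata) == anchor["key_tag"]
            and ds_digest(ROOT_OWNER_WIRE, rdata) == anchor["digest"])

# Constructed sample data: fixed byte patterns stand in for real public keys.
# 257 = key-signing key flags, 3 = protocol, 8 = RSA/SHA-256.
GENUINE_KEY = dnskey_rdata(257, 3, 8, bytes(range(64)))
FORGED_KEY = dnskey_rdata(257, 3, 8, bytes(range(1, 65)))

# Stand-in for the anchor fetched out of band and stored in resolver config.
LOCAL_ANCHOR = {"key_tag": key_tag(GENUINE_KEY),
                "digest": ds_digest(ROOT_OWNER_WIRE, GENUINE_KEY)}

def check_sample_keys() -> dict:
    """Run both constructed keys through the anchor check."""
    return {"genuine": matches_anchor(GENUINE_KEY, LOCAL_ANCHOR),
            "forged": matches_anchor(FORGED_KEY, LOCAL_ANCHOR)}

if __name__ == "__main__":
    print(check_sample_keys())
```

A key substituted by whoever answers the query fails the digest comparison, because the anchor it is checked against never travelled over that path.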

It's quite a bit different. China is attempting to control the internet, most likely for use as propaganda and as leverage in a cyber conflict. The DHS is being used by special interest groups to enforce IP law.

I mean I am not condoning everything the Chinese do but nationalism isn't always a bad thing and there wouldn't BE a cyber conflict without the US. Essentially what you've got is 1 country attacking another country and you've got 1 country attacking its own citizens. Which is which and which is worse?

I think the term "illegal" isn't the right one to use. Which one is more immoral is probably more accurate.

One country is revoking DNS service for a relatively small list of sites when its investigations show these sites violate that nation's (and in some cases international) trade or copyright laws. These sites are shut down without due process or prior notification. There is fear that if unchecked, this power could be extended to remove ideas that are unwelcome to those in control of these mecha

I did actually read your whole post. Either way you swing it it's the rich/powerful controlling the lesser classes. In China, the higher-ups in the party want to control the workers otherwise they lose their status and benefits. In China, I would bet career politicians have opulent lifestyles far surpassing the average worker. Here in the US you have huge disparities in wealth whereby 10 percent of the population controls 70 percent of the wealth. Furthermore, in the US you have career politicians that get h

"Illegal" is a word whose meaning is quite relative. It also leads to discussion about whether or not a law is just even if the law itself is plain. Enforcing a "whites only" bathroom law might be an easy to appreciate law that is unjust. Many people hold that copyright law in the U.S. is unjust and I certainly support that. (I wouldn't download stuff nearly as much if content from 14 years ago actually went into the public domain -- I'd be busy being all retro in my downloads) But that's not how it is

If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

* yeah, I'm borrowing Slashdot terminology. But what the heck, it kind of works.

If only you could mod servers up or down, giving them some sort of reputation history. Then your OS could determine a trusted anchor based on a server's "karma" and your requirements*. A system parallel to DNSSEC for apportioning, updating, and validating trust.

Doesn't China have like, 1.2 billion people? If all the people in China mod up the Chinese DNS servers, and all the people in the US mod them down, I'm pretty sure they will still have a pretty good score...

BGP knows filters and communities. It's just that those need to be set up by admins, who often don't feel like doing the work and will tell you it's too complex to deal with such a large dynamic network as theirs.

Because I can damn well tell you that spilled over into other New England area networks, including the SAVVIS and Cogent networks in Boston area. Comcast says their DNS system failed, so how the fuck does a DNS attack knock out all the peering/routing/IP transport up there?

That whole thing smells bad, and I wonder if anyone knows the truth about wtf happened.

Thanks to the American people for allowing their government and corporations to participate in these deals. Did you call your ISP and complain about their use of a company that actively participates in subjecting over a billion people to heavy censorship? I didn't think so.

De-root is a useless measure. You don't trust China, someone else doesn't trust some other country hosting a root. DNSSec is the only acceptable solution currently available.

Also it's a little naive to think that Chinese cyberspace ends at its physical borders. China's telcos have controlling stakes in many foreign communications companies as well. Not to mention lots of western ISPs are installing Huawei equipment, etc, etc.

Tell me, why is it still possible for private parties to change things like this on a whim?
There needs to be a system where if the domain record returned from a dns server differs from the ones returned by, say, 4 others, it is discarded and the record returned by the 4 dns servers is used.

Nice idea, but this doesn't help one bit if the censorship is done close to home. E.g. on "my" network I intercept DNS and have my name server send the reply. It doesn't matter if the users are talking to Google DNS, OpenDNS or some other service, it's always my DNS server that replies. DNS is extremely easy to intercept and spoof.

Since when are you obligated to use the Chinese root servers? And have you heard of DNSSEC? This is really just an issue of lazy admins. Same story with the root SSL certificates browsers ship with that include a lot of questionable organizations and governments. You are free to remove them, and no, it's not hard. The BGP hijack was no different. Carriers that have their shit organized have their filters configured and would not participate in the hijack.

If you were found to be tampering with DNS, at the very least you'd have your internet service cut off, at worst you'd be arrested. The equivalent of "arresting" China would be called "World War III" and that's not going to happen (yet). We can, however, cut them off from the rest of the internet, can't we? Why haven't we? They refuse to behave, they don't own the internet (nobody does and everybody does, really), they don't have the right to do this. Cut them off until they learn to behave. Besides, to hea

Yeah, I'm sure she's real proud of the high regard you hold her in, referring to her in such a manner. Do you fondly refer to her in casual conversation as "my slant-eyed sweetie"? Also, you're French, your whole country hates us, so I'm supposed to listen to you why? By the way, how are those rampant human rights violations sitting with you, friend? You're living there and married to someone of Chinese ancestry, you might just be as OK with those as you apparently are with every other crappy thing that the Ch

I've had so many DNS problems in Asia (not China) and 8.8.8.8 solved them all. It was such a problem while I was there that I'd log into any default password routers in the hotels I stayed at and change their configs to that.

On top of that, since China is responsible for hacking Google earlier this year, Google will be taking special care to make sure their services will be protected from future attacks, and thus will likely fortify their DNS against root hijacking.